Attackers Can Weaponize Firewalls and Middleboxes for Amplified DDoS Attacks
Aug 16, 2021
Weaknesses in the implementation of TCP protocol in middleboxes and censorship infrastructure could be weaponized as a vector to stage reflected denial of service (DoS) amplification attacks against any target, surpassing many of the existing UDP-based amplification factors to date. Detailed by a group of academics from the University of Maryland and the University of Colorado Boulder at the USENIX Security Symposium, the volumetric attacks take advantage of TCP-non-compliance in-network middleboxes — such as firewalls, intrusion prevention systems, and deep packet inspection (DPI) boxes — to amplify network traffic, with hundreds of thousands of IP addresses offering amplification factors exceeding those from DNS, NTP, and Memcached. The research, which received a Distinguished Paper Award at the conference, is the first of its kind to describe a technique to carry out DDoS reflected amplification attacks over the TCP protocol by abusing middlebox misconfigurations in the wild
